The importance and sensitive nature of medical records cannot be overstated. These are legal documents containing valuable healthcare details, and they are required for medical record review in personal injury, medical negligence, product liability and mass tort cases. Custodians of medical records have to be extremely cautious regarding the safety and confidentiality of these documents to avoid litigation and penalties. Even so, data breaches occur frequently and medical records are compromised. The causes of a breach vary: unauthorized access, poor maintenance, security failures and so on. The HIPAA rule mandates that personally identifiable healthcare information must not be shared without the express consent of the patient concerned. This means that all entities covered under HIPAA must obtain the written authorization of the patient before sharing PHI (protected health information) with external organizations and individuals. Even lawyers requesting medical records have to submit a form that is compliant with HIPAA.
In a recent case involving Florida Department of Health clinics in Palm Beach County, state officials say that the medical records of more than 1,000 patients have been breached. These patients are at risk of identity theft because the sensitive information breached includes Social Security numbers, dates of birth, medical record numbers and phone numbers. It is not yet clear whether the breach resulted from a computer hack, stolen documents or some other cause.
Class action lawsuits may be brought against healthcare entities that fail to safeguard PHI, which raises another significant question. Healthcare entities are typically insured, but are their insurers required to defend such class action lawsuits when a healthcare entity fails to properly secure patient records on its server? Let us examine this in the light of a recent case in the United States. An alleged failure on the part of Portal Healthcare (Portal) to secure a server led to patients’ medical records becoming freely accessible online.
- Apparently, two of Portal’s liability policies provided cover for the electronic publication of materials.
- Portal’s insurer Travelers Indemnity Company of America (Travelers) denied coverage and refused to defend Portal in the class action.
- Travelers’ CGL (Commercial General Liability) policies provided coverage for “electronic publication of material that … discloses information about (or gives unreasonable publicity to) a person’s private life.”
- Travelers filed a suit seeking a declaration that it did not have a duty to defend or indemnify Portal with regard to the class action suit. Its argument was that the class action suit did not allege a covered “publication” by Portal.
- However, a Virginia federal district court determined that Travelers had a duty to defend, calling upon a dictionary definition of “publication,” namely, “to place before the public (as through a mass medium).” The district court held that the medical records were published the moment they became accessible to the public via a search on the internet.
- Travelers appealed and insisted that the class action complaint did not trigger its duty to defend. Acknowledging Virginia’s eight-corners rule, the Fourth Circuit agreed with the district court that the class action complaint “at least potentially or arguably” alleged “publication” of private medical information. Since any member of the public who had an internet connection could have viewed the PHI on Portal’s servers, the Fourth Circuit concluded a “publication” could have theoretically occurred.
This case has a rather unusual fact pattern, with the insured itself allegedly responsible for allowing the medical records to be freely available on the internet. The usual scenario is one in which hackers are responsible for the data breach, or in which an employee of the insured loses a laptop, and so on. The insured entity is required to notify all those affected by the breach. Whether the insured or hackers are responsible for the “publication” can make all the difference in a case. Whether cyber breaches are covered under the “personal and advertising injury” section of CGL policies depends on the particular circumstances of each case.
The above case emphasizes that claims originating from cyber breaches may be covered under CGL insurance policies, even though such claims were conventionally not intended to fall within this insurance cover. Insurers who do not want to cover cyber liability under a general liability policy will have to be careful about their policy wording and introduce exclusions where required. New CGL policies incorporate cyber exclusions, and it will be rather challenging for the insured to argue coverage for data breaches under such policies.
Ultimately, the court will decide whether or not a data breach is covered by a CGL policy. The insured may not always win the case, and the decision may vary depending on the specific facts of the case, the jurisdiction and the policy language. Following the above-mentioned Fourth Circuit decision, CGL policies will surely continue to change, and you can expect more data breach and computer network security exclusions to be added to the policy.
Both the insured and the insurer need to ensure they are not exposed to such risks and litigation. Cyber and data security related insurance claims are bound to increase. The insured and the insurer need to work together to face such challenges successfully.